CVE-2026-44369: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in cvat-ai cvat
CVAT is an open source interactive video and image annotation tool for computer vision. From 2.5.0 to 2.63.0, an attacker who is able to create or edit an annotation guide on a task is able to add malicious JavaScript code, which will then run in the browser of anyone who opens this annotation guide. This code will be able to make arbitrary requests to CVAT with the victim user's privileges. This vulnerability is fixed in 2.64.0.
AI Analysis
Technical Summary
The CVAT open source annotation tool suffers from an improper neutralization of script-related HTML tags (CWE-80) in annotation guides. Specifically, from versions 2.5.0 through 2.63.0, users with the ability to create or edit annotation guides can embed malicious JavaScript. When other users open these guides, the script runs in their browsers, potentially enabling unauthorized actions with their CVAT user privileges. This vulnerability is classified as a basic XSS and has a CVSS 4.0 score of 8.5 (high severity). The issue is resolved in CVAT version 2.64.0.
Potential Impact
Successful exploitation allows an attacker with limited privileges to execute arbitrary JavaScript in the context of other users' browsers. This can lead to unauthorized actions performed with the victim's CVAT privileges, potentially compromising data integrity or confidentiality within the application. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade CVAT to version 2.64.0 or later, where this vulnerability is fixed. Since this is an application vulnerability, patching the software is the recommended and effective remediation. No vendor advisory contradicts this guidance.
CVE-2026-44369: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in cvat-ai cvat
Description
CVAT is an open source interactive video and image annotation tool for computer vision. From 2.5.0 to 2.63.0, an attacker who is able to create or edit an annotation guide on a task is able to add malicious JavaScript code, which will then run in the browser of anyone who opens this annotation guide. This code will be able to make arbitrary requests to CVAT with the victim user's privileges. This vulnerability is fixed in 2.64.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The CVAT open source annotation tool suffers from an improper neutralization of script-related HTML tags (CWE-80) in annotation guides. Specifically, from versions 2.5.0 through 2.63.0, users with the ability to create or edit annotation guides can embed malicious JavaScript. When other users open these guides, the script runs in their browsers, potentially enabling unauthorized actions with their CVAT user privileges. This vulnerability is classified as a basic XSS and has a CVSS 4.0 score of 8.5 (high severity). The issue is resolved in CVAT version 2.64.0.
Potential Impact
Successful exploitation allows an attacker with limited privileges to execute arbitrary JavaScript in the context of other users' browsers. This can lead to unauthorized actions performed with the victim's CVAT privileges, potentially compromising data integrity or confidentiality within the application. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade CVAT to version 2.64.0 or later, where this vulnerability is fixed. Since this is an application vulnerability, patching the software is the recommended and effective remediation. No vendor advisory contradicts this guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-05T20:15:20.631Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a04f25dcbff5d8610127f44
Added to database: 5/13/2026, 9:51:25 PM
Last enriched: 5/13/2026, 10:06:42 PM
Last updated: 5/14/2026, 6:48:19 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.